HowTo Interpret Email Headers

This is a basic tutorial on how to interpret email headers. I recently found myself dealing with co-workers who didn't understand how to read expanded email headers, and due to my dealings with spoofed email and the noticeable lack of most people's comprehension of what exactly is contained in an email header, I thought I might elaborate. After visiting stopspam's site, I perused their tutorial and gained a wealth of knowledge that I thought I'd share, in my own simplified manner (all examples are unique and all definitions are my own, using stopspam's definitions as a guide).

Here's a sample email header of an email I received with an expanded header. I simplified it somewhat to make the header easier to break down. I'm using a valid email (sent to me by AVG AntiVirus) so we can assume the fields are valid as well. The numbers in brackets, (1) and (2), are not actually part of the email, just numbers indicating a transaction.

One thing to know before reading: each server that handles a message adds its own Received: line at the top of the header, so in a raw header the most recent hop is the first line you see and the oldest is the last. To follow the path the message took, read the Received: lines from the bottom up. I've listed the two transactions below in that order (oldest first). Only the top-most Received: line was written by your own mail server; every line below it arrived as part of the message and could have been written by the sender, which is exactly what spoofed mail relies on.

This is the first of two transactions that occurred during the path of the email.

(1)Received: from biz.grisoft.cz (ms.grisoft.cz [193.85.188.248])
The box the email was received from. The name right after "from" (biz.grisoft.cz) is whatever the sending server announced in its HELO/EHLO greeting; the sender chooses it, so it can say anything. The part in parentheses is what the receiving server observed for itself: the reverse DNS name of the connection (ms.grisoft.cz) and the IP address it actually came from (193.85.188.248). When tracing spoofed mail, trust the bracketed IP address, not the announced name. Here the two names differ but belong to the same domain, which is normal for a server with several hostnames.

by download.grisoft.cz with ESMTP id ADABE1D22E0
The box that received the email (download.grisoft.cz), using ESMTP (Extended SMTP). The id (ADABE1D22E0) is the queue id that server assigned to the message for its own logs; if you have access to that server, this is the string to search for in its mail log.

for <shagdevil@totalputz.com>; Sun, 9 May 2004 19:04:08 +0200 (CEST)
The envelope recipient (the address given in the SMTP RCPT TO command) and the date and time at which the receiving server wrote this line. The +0200 is that server's offset from UTC (CEST is Central European Summer Time), so this is 17:04:08 UTC; each hop stamps its own local time, so convert to UTC before comparing timestamps between hops. The recipient shown here may have no relation to the To: field, which is just text the sender put in the message.

This is the second (and last) of the transactions that occurred during the path of the email.

(2)Received: from download.grisoft.cz (download.grisoft.cz [212.67.74.214])
The box the email was received from: the announced name (download.grisoft.cz) and, in parentheses, the reverse DNS name the receiving server looked up (download.grisoft.cz) and the connecting IP address (212.67.74.214). This time the announced name and the reverse DNS name agree. Note that this hop's "from" host is the same box that did the receiving in transaction (1); that is how you confirm the two lines really chain together.

by mail.totalputz.com (8.12.11/8.12.11) with ESMTP id i49H4AsK011650
The box that received the email (mail.totalputz.com), using ESMTP. The (8.12.11/8.12.11) is the version of the mail server software on that box, in this case Sendmail 8.12.11 (the two numbers are the program version and its configuration file version); it is the server, not a mail client, that writes this. An id is placed on the message (i49H4AsK011650) for logging purposes, again a queue id specific to this server.

for <shagdevil@totalputz.com>; Sun, 9 May 2004 13:04:13 -0400
The envelope recipient and the date and time of this transfer, in the receiving server's zone: -0400 is four hours behind UTC, so this is 17:04:13 UTC, five seconds after transaction (1). Timestamps that run backwards by more than a few minutes of clock skew, or that sit hours apart on a direct hop, are a sign that one of the lines is not genuine. As before, the address here may have no relation to the To: field.

Message-Id: <20040509170408.ADABE1D22E0@download.grisoft.cz>
This is the unique identifier of the message, stamped here by download.grisoft.cz (the host after the @). You can tell which server generated it because the part before the @ contains the same queue id, ADABE1D22E0, that download.grisoft.cz assigned in transaction (1). This is not the same as the per-hop logging ids: those change at every server, while the Message-Id is set once and travels unchanged with the message through the entire path. Keep in mind that it identifies the message but does not authenticate it; a spammer's software can write any Message-Id it likes.

Date: Sun, 9 May 2004 19:04:08 +0200 (CEST)
When the email was created, according to the software that sent it. This header is written by the sender, not by any server along the path, so in spoofed mail it can disagree with the Received: timestamps. Here it matches the first Received: line to the second, which is what you expect from a server that generated and sent the message itself.

Again, this is an oversimplified email header so I could better convey the basics of breaking down an email header and how to follow the path of a typical email. There are many other fields that you may see in a typical email header: X-Priority, X-Sender, X-Mailer, X-UIDL, Content-Type, Bcc, Cc and Content-Transfer-Encoding, to name a few. The X- fields are informational headers added by the sender's software and, like the Date: and Message-Id: fields, say only what the sender wants them to say.
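To show the bottom-up reading above as something you can run, here is an added example (my own code, not from the original post or from stopspam) that parses Received: lines, pulls out the announced name, the reverse DNS name and IP the receiver saw, the receiving server, its queue id and its timestamp, converts every timestamp to UTC, and then cross-checks consecutive hops: does each hop's "from" match the previous hop's "by", and does time move forward? The first sample is the header from this tutorial, assembled in raw (most recent first) order. The second is a constructed counter-example with hypothetical hosts (relay.example.net, smtp.example.org, documentation IP 198.51.100.7) where the bottom Received: line was supplied by the sender and does not fit the genuine line above it.

```python
import re
from datetime import timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: the tutorial's two Received lines, Message-Id and Date,
# laid out as a raw header shows them (the hop your own server added on top).
SAMPLE_HEADER = (
    "Received: from download.grisoft.cz (download.grisoft.cz [212.67.74.214])\n"
    "\tby mail.totalputz.com (8.12.11/8.12.11) with ESMTP id i49H4AsK011650\n"
    "\tfor <shagdevil@totalputz.com>; Sun, 9 May 2004 13:04:13 -0400\n"
    "Received: from biz.grisoft.cz (ms.grisoft.cz [193.85.188.248])\n"
    "\tby download.grisoft.cz with ESMTP id ADABE1D22E0\n"
    "\tfor <shagdevil@totalputz.com>; Sun, 9 May 2004 19:04:08 +0200 (CEST)\n"
    "Message-Id: <20040509170408.ADABE1D22E0@download.grisoft.cz>\n"
    "Date: Sun, 9 May 2004 19:04:08 +0200 (CEST)\n"
)

# Constructed counter-example (hypothetical hosts): the top line is the genuine
# one written by mail.totalputz.com; the bottom line came with the message.
FORGED_HEADER = (
    "Received: from download.grisoft.cz (download.grisoft.cz [212.67.74.214])\n"
    "\tby mail.totalputz.com (8.12.11/8.12.11) with ESMTP id i49H4AsK011650\n"
    "\tfor <shagdevil@totalputz.com>; Sun, 9 May 2004 13:04:13 -0400\n"
    "Received: from relay.example.net (relay.example.net [198.51.100.7])\n"
    "\tby smtp.example.org with ESMTP id QWERTY123\n"
    "\tfor <shagdevil@totalputz.com>; Sun, 9 May 2004 23:30:00 +0200\n"
)


def parse_received(value):
    """Split one unfolded Received: value into its fields."""
    hop = dict.fromkeys(["helo", "rdns", "ip", "by", "software", "id", "for", "date", "utc"])
    m = re.search(r"\bfrom\s+(\S+)(?:\s+\(([^)]*)\))?", value)
    if m:
        hop["helo"] = m.group(1)            # name the sender announced (sender-controlled)
        comment = m.group(2) or ""          # what the receiving server observed itself
        ip = re.search(r"\[([^\]]+)\]", comment)
        rdns = re.match(r"([^\s\[]+)", comment)
        hop["ip"] = ip.group(1) if ip else None
        hop["rdns"] = rdns.group(1) if rdns else None
    m = re.search(r"\bby\s+(\S+)(?:\s+\(([^)]*)\))?", value)
    if m:
        hop["by"], hop["software"] = m.group(1), m.group(2)
    m = re.search(r"\bid\s+([^\s;]+)", value)
    hop["id"] = m.group(1) if m else None
    m = re.search(r"\bfor\s+<?([^\s;<>]+)>?", value)
    hop["for"] = m.group(1) if m else None
    if ";" in value:                        # timestamp follows the last semicolon
        hop["date"] = value.rsplit(";", 1)[1].strip()
        dt = parsedate_to_datetime(hop["date"])
        if dt.tzinfo is None:               # "-0000" or no zone: treat as UTC
            dt = dt.replace(tzinfo=timezone.utc)
        hop["utc"] = dt.astimezone(timezone.utc)
    return hop


def received_hops(header_text):
    """Return the Received: hops oldest-first, i.e. the raw header read bottom-up."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", header_text)   # join continuation lines
    hops = [parse_received(v.strip()) for n, _, v in
            (line.partition(":") for line in unfolded.splitlines())
            if n.strip().lower() == "received"]
    hops.reverse()
    return hops


def check_path(hops, max_skew=timedelta(minutes=5)):
    """Cross-check consecutive hops; returns (transit seconds, findings)."""
    findings = []
    for i, hop in enumerate(hops):
        if hop["helo"] and hop["rdns"] and hop["helo"].lower() != hop["rdns"].lower():
            findings.append(("info", "hop %d: announced name %s differs from reverse DNS %s"
                             % (i + 1, hop["helo"], hop["rdns"])))
        if i == 0:
            continue
        prev = hops[i - 1]
        names = {str(hop["helo"]).lower(), str(hop["rdns"]).lower()}
        if prev["by"] and prev["by"].lower() not in names:   # chain does not link up
            findings.append(("warn", "hop %d was received by %s but hop %d claims to come from %s"
                             % (i, prev["by"], i + 1, hop["helo"])))
        if prev["utc"] and hop["utc"] and hop["utc"] + max_skew < prev["utc"]:
            findings.append(("warn", "hop %d timestamp %s is earlier than hop %d timestamp %s"
                             % (i + 1, hop["utc"].isoformat(), i, prev["utc"].isoformat())))
    transit = None
    if hops and hops[0]["utc"] and hops[-1]["utc"]:
        transit = (hops[-1]["utc"] - hops[0]["utc"]).total_seconds()
    return transit, findings


def message_id_origin(header_text, hops):
    """Return (host after @, 1-based hop whose queue id appears in the Message-Id) or None."""
    m = re.search(r"^Message-Id:\s*<([^@>]+)@([^>]+)>", header_text, re.M | re.I)
    if not m:
        return None
    local, host = m.groups()
    for i, hop in enumerate(hops, 1):
        if hop["id"] and hop["id"] in local and hop["by"] and hop["by"].lower() == host.lower():
            return host, i
    return host, None


if __name__ == "__main__":
    for label, text in (("tutorial sample", SAMPLE_HEADER), ("forged sample", FORGED_HEADER)):
        hops = received_hops(text)
        transit, findings = check_path(hops)
        print("%s: %d hops, transit %s s, Message-Id from %s"
              % (label, len(hops), transit, message_id_origin(text, hops)))
        for hop in hops:
            print("  %s (%s [%s]) -> %s at %s" % (hop["helo"], hop["rdns"], hop["ip"], hop["by"], hop["utc"]))
        for severity, msg in findings:
            print("  [%s] %s" % (severity, msg))
```

On the tutorial's header the only finding is the informational note that biz.grisoft.cz announced itself under a different name than its reverse DNS, and the two hops are five seconds apart. On the constructed header the chain breaks (smtp.example.org never handed the message to download.grisoft.cz) and the bottom timestamp is later than the top one, which marks the bottom line as the one to distrust.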

Here's a sample where some of those fields are used (this is a complete email. I didn't simplify this one). It was sent from Travelocity.